Protect Your PIX

Keep your PIX firewall secure! In part 5 of our series of excerpts from the Cisco Press book, Cisco Secure Internet Security Solutions, you'll learn all about AAA authorization and why two DMZs are better than one.

Dual DMZ with AAA Authentication
This section introduces AAA authorization and creates two DMZs, focusing on the PIX configuration aspects of AAA. It also adds a failover PIX and access lists to the configuration.

Figure 4-8 shows how this network is configured. Notice that there are two PIX Firewalls, a primary and a failover. Should the primary PIX fail, the failover PIX takes over all of the duties of the primary PIX. You also have two DMZs, the public and the accounting DMZs. The accounting DMZ is used for clients on the Internet to access the accounting data for the services.

Figure 4-8: Dual DMZ Configuration

Although a failover cable connects the serial ports of the two firewalls, you also added a hub on the inside interfaces so that both firewalls reach the interior router through a single router interface, saving interfaces on the interior router. You did the same between the outside interfaces of the firewalls and the exterior router. Both PIX Firewalls must have connectivity to both DMZs for the failover PIX to operate correctly, should the primary fail.